Industrial Strength Access Control for Spring Applications
Download as PPTX, PDF3 likes1,239 views
The document discusses the Access Control Service (ACS) for Spring applications, designed to provide fine-grained access control for RESTful APIs and highlight its advantages over OAuth 2.0, which includes limitations in scope-based privileges. It details the use of attribute-based access control (ABAC) principles, emphasizing the dynamic role assignment and attribute inheritance based on user roles and resource attributes. The technology stack supporting ACS includes Apache Cassandra, PostgreSQL, and Spring Boot, with additional resources for documentation and demos available online.
Industrial Strength Access Control for Spring Applications
- 1. Industrial Strength Access Control for Spring Applications By Dario Amiri @darioamiri
- 2. What is ACS? • Access Control Service • Fine-grained access control for RESTful APIs • Available on github • master branch for stable releases • develop branch for cutting edge features • Apache license version 2 • Spring Boot project • Extensions available for Spring Security integration 2
- 3. Why ACS? Limitations of OAuth 2.0 • Scope-based privileges are too coarse-grained • Scopes are tightly coupled to access token • Logout/login required for privilege changes to take effect • Not tuned for making access control decisions per resource request Architectural concerns • Need for a consistent and reusable solution decoupled from application • Need for a consistent way to define access control policies • Need for a sharable and distributed privilege store
- 4. Example Use Case 4 /sites/san-ramonanalyst tom@ge.com /assets/21 /sites/cincy-oh /assets/33 tom@ge.com GET GET Subjects ResourcesActions tom@ge.com is an analyst, with all associated privileges, when he operates on assets at the San Ramon site but not when he operates on assets at the Cincinnati site.
- 5. Components Attribute Based Access Control (ABAC) • Attribute store for • Subjects: entities that do things • Resources: entities that have things done to them • Policy store • How subject and resource attributes combine to determine privileges • Policy evaluation • Given a subject, action, and resource determine if operation is allowed
- 6. What are attributes? • A key value pair • Asserted by a trusted entity • Useful for making authorization decisions
- 7. What are attributes? • tom@ge.com is an analyst • tom@ge.com is a member of the research group role: analyst group: researchers attributes subject tom@ge.com identifier
- 8. What are attributes? • The asset with id 1234 is located at the San Ramon site • The asset with id 1234 belongs to users in the research group site: san-ramon group: researchers attributes resource /assets/1234 identifier
- 9. Breaking down policy evaluation • Client sends a request for authorization • Can a subject perform an action on a resource • Java library support today - route service tomorrow • ACS performs • Attribute discovery • Policy evaluation • Client receives • Authorization decision (permit | deny) • Discovered attributes
- 10. authorization request tom@ge.com subject /assets/1234 resource GET action attribute discovery policy evaluation authorization response PERMIT | DENY decision role: analyst group: researchers tom@ge.com site: san-ramon group: researchers /assets/1234 discovered attributes
- 11. authorization response discovered attributes subject.and(resource).haveSame(‘group’) policy condition attribute discovery role: analyst group: researchers tom@ge.com site: san-ramon group: researchers /assets/1234 discovered attributes AttributeStore authorization request tom@ge.com /assets/1234GET permit
- 12. Implementing RBAC with ACS Hierarchical attributes • Define attributes for roles, groups, etc. • Users can inherit attributes from these o E.g. Create an “role-analyst” subject and assign it attributes o E.g. Have “tom@ge.com” subject inherit attributes from “role-analyst”
- 13. Subject attribute inheritance example org: ge tenancy-id: 11235 org-ge group: research app: apm group-research role: analyst report: asset-performance role-analyst tom@ge.com org: ge tenancy-id: 11235 group: research app: apm role: analyst report: asset-performance
- 14. Resource attribute inheritance example org: ge site: san-ramon /sites/01 group: research /sites/01/assets/21 report: asset-performance /sites/01/assets/21/reports/72 org: ge site: san-ramon group: research report: asset-performance
- 15. Dynamic roles Subject roles depend on the resource accessed • Child subject conditionally inherits parent attributes • User X inherits attribute from role Y when accessing resource Z o tom@ge.com is an analyst for the “san-ramon” site o tom@ge.com is not an analyst for other sites • Subject attributes are scoped by resource attributes
- 16. Scoped attribute inheritance (permit) site: san-ramon org: ge tenancy-id: 11235 org-ge group: research app: apm group-research role: analyst report: asset-performance role-analyst tom@ge.com org: ge tenancy-id: 11235 group: research app: apm role: analyst report: asset-performance org: ge site: san-ramon /sites/01 group: research /sites/01/assets/21 report: asset-performance /sites/01/assets/21/reports/72 org: ge site: san-ramon group: research report: asset-performance Allow user access to asset performance report if • The asset belongs to the user’s group • The user is an analyst for the San Ramon site
- 17. Scoped attribute inheritance (deny) site: san-ramon org: ge tenancy-id: 11235 org-ge group: research app: apm group-research role: analyst report: asset-performance role-analyst tom@ge.com org: ge tenancy-id: 11235 group: research app: apm org: ge site: cincy-oh /sites/02 group: research /sites/02/assets/33 report: asset-performance /sites/02/assets/33/reports/51 org: ge site: cincy-oh group: research report: asset-performance Allow user access to asset performance report if • The asset belongs to the user’s group • The user is an analyst for the San Ramon site
- 18. Technology stack runtime Apache Cassandra PostgreSQL java spring boot titan db spring data apache tinkerpop cloud foundry platform uaa spring mvc spring security
- 20. Learn More. Stay Connected. amiri@ge.com @darioamiri @springcentral spring.io/blog @pivotal pivotal.io/blog @pivotalcf http://engineering.pivotal.io
Editor's Notes
- #4: Now I’m going to switch to the subject of ACS and why it exists… 03m00s
- #6: ACS was designed to address the access control limitations of OAuth. It is essentially a comprehensive solution for building a RESTful API that supports Attribute Based Access Control… In order to do this it is… 01m00s
- #7: But what exactly are attributes? 00m30s
- #8: The concept is best explained by example… 01m00s
- #9: Attributes can also apply to resources… 01m00s
- #10: But how do we make the access control decision??? 01m00s
- #11: Here’s a diagram to help visualize the process… 02m00s
- #12: Let’s delve into the ACS side of things… 02m00s
- #13: The above example I just presented pretty basic. ACS can satisfy much more complicated use cases… 01m30s
- #14: Very useful to manage complex systems of user attributes… 01m00s
- #15: Resources can also inherit attributes… 01m00s
- #16: Subject privileges can also depend on what user the subject is trying to access. 02m00s
- #17: 01m00s
- #18: 01m00s
- #19: 02m00s